[unisog] DNS over TCP should we block

Florian Weimer fw at deneb.enyo.de
Wed Jan 5 00:24:26 GMT 2005

* Reg Quinton:

>> DNS over TCP should be permitted, in both directions.  Some things
>> will break if you do not allow it.
> I'll disagree.
> Assuming your clients are configured to use campus name servers there's no 
> need to open DNS over TCP (and UDP) to everyone -- constrain it to just your 
> campus DNS name servers.

Yes, if you are running in whitelist mode.

Those who are still running blacklists face some problems, but not
with TCP.  TCP is relatively harmless in that aspect because it's TCP
(and thus suitable for unidirectional stateless filtering).  A 53/TCP
permit is not too dangerous, either (modulo zone file transfers).
Furthermore, the BIND 8 worm never happened. 8->

OTOH, we had quite a lot of trouble with UDP.  For several years
(after we switched from a blacklist to a whitelist), we had incoming
rules like these:

  permit udp any eq 53 any eq 53
  permit udp any eq 53 any gt 1023

(Same for active FTP, BTW.)  The reason was that we believed (and I
still do) in stateless packet filtering.  It's simply so much more
robust than reflexive access lists/connection tracking/whatever.
Fortunately, our flow logs showed that these rules were probably never
used for illegitimate purposes.

The network in question finally registered all DNS servers and
resolvers, and switched to a tight whitelist.  I designed two rules
for the resolver cases, corresponding to the two ACL entries shown
above.  Migration was mostly painless.  (Today, it would be even
easier because passive DNS replication can be used to obtain a
conclusive list of all name servers.)  Decommission of active FTP
happened at the same time, but was far more troublesome for all the
involved parties.  Surprisingly many anti-virus software packages used
active FTP for downloading new signatures, for example.
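As an added illustration (not part of the original post, and not the poster's configuration), the following script evaluates the two stateless incoming rules quoted above against a set of constructed flow records, and compares them with a tightened whitelist of the shape the post describes. The resolver addresses, the exact form of the whitelist entries, and all flow records are assumptions made for the example; the point is the kind of audit a flow-log review supports before the migration: which flows the broad `any ... gt 1023` rule admits that a resolver-pinned rule would drop.

```python
"""Stateless ACL evaluation for the DNS/UDP rules discussed in the post.

Added example, not the poster's own configuration.  Resolver addresses,
whitelist entries and flow records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One record from a flow log: protocol and the source/destination 5-tuple."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'permit' entry in Cisco-like form: proto src sport-op dst dport-op."""
    proto: str
    src: str            # CIDR prefix or "any"
    sport: tuple        # ("any",), ("eq", n) or ("gt", n)
    dst: str
    dport: tuple


def _addr_ok(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def _port_ok(op, port):
    kind = op[0]
    if kind == "any":
        return True
    if kind == "eq":
        return port == op[1]
    if kind == "gt":
        return port > op[1]
    raise ValueError(f"unknown port operator {kind}")


def matches(rule, flow):
    """True if the single ACL entry matches this flow (no state is consulted)."""
    return (rule.proto == flow.proto
            and _addr_ok(rule.src, flow.src) and _port_ok(rule.sport, flow.sport)
            and _addr_ok(rule.dst, flow.dst) and _port_ok(rule.dport, flow.dport))


def permitted(policy, flow):
    """First-match semantics with an implicit deny at the end, as on a router."""
    return any(matches(r, flow) for r in policy)


# The two incoming rules quoted in the post, transcribed as data.
OLD_POLICY = [
    Rule("udp", "any", ("eq", 53), "any", ("eq", 53)),
    Rule("udp", "any", ("eq", 53), "any", ("gt", 1023)),
]

# Assumed registered campus resolvers (constructed documentation addresses).
RESOLVERS = ["192.0.2.10/32", "192.0.2.11/32"]

# Assumed whitelist counterparts: same shape as the old rules, but the
# destination is pinned to the registered resolvers instead of "any".
NEW_POLICY = (
    [Rule("udp", "any", ("eq", 53), r, ("eq", 53)) for r in RESOLVERS]
    + [Rule("udp", "any", ("eq", 53), r, ("gt", 1023)) for r in RESOLVERS]
)

# Constructed flow-log records (external side is 198.51.100.5).
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.5", 53, "192.0.2.10", 40001),  # reply to a resolver, high port
    Flow("udp", "198.51.100.5", 53, "192.0.2.10", 53),     # reply to a resolver querying from port 53
    Flow("udp", "198.51.100.5", 53, "192.0.2.77", 40002),  # desktop using an external resolver directly
    Flow("udp", "198.51.100.5", 53, "192.0.2.77", 8080),   # source port 53 to an unrelated high port
    Flow("udp", "198.51.100.5", 53, "192.0.2.77", 135),    # low port: neither policy permits
    Flow("tcp", "198.51.100.5", 53, "192.0.2.77", 40003),  # TCP: outside both UDP policies
]


def audit(old, new, flows):
    """Flows the old policy permits but the new one drops: the migration review list."""
    return [f for f in flows if permitted(old, f) and not permitted(new, f)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  "
              f"old={permitted(OLD_POLICY, f)} new={permitted(NEW_POLICY, f)}")
    print("would be dropped after migration:", len(audit(OLD_POLICY, NEW_POLICY, SAMPLE_FLOWS)))
```

Run against real flow records, the `audit` list is what tells you whether the broad rules were ever doing work beyond resolver replies; an empty list means the tightened whitelist can go in without breaking anything that was previously observed.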
